Remote Logging and Log Management
It’s considered good practice to send log messages to a remote dedicated log host as they happen. This way an attacker can’t get to the logs and change them; an analogy for this is the drop safe used for large bills at convenience stores.
The Windows event logging model cannot be configured to log to remote hosts, since the message formatting relies on the local application that logged the event. As a result, we must find another way to do remote logging.
Remote Logging Using Syslog
The syslog protocol is the de facto standard for remote logging. It’s a UDP-based protocol (udp/514), which does not guarantee delivery.
There are several Windows event log-to-syslog agents available. Generally, they work in the following way:
The agent waits for new events to arrive in the event logs.
When they do arrive, the agent sends the events as syslog messages to the log hosts. A log host is usually a Unix system running the syslog daemon or a Windows system running a syslog service. The syslog server is often placed on a separate management network in the perimeter.
The syslog client—NTsyslog
When it comes to syslog clients, I recommend using the NTsyslog package developed by Jason R. Rhoads. NTsyslog is an open source (GPL) syslog client. Mr. Rhoads provides both the source code and a precompiled binary at his security-focused Sabernet web site (http://www.sabernet.net/software/ntsyslog.html).
NTsyslog runs as a service. It’s installed by copying the executable ( ...